03-14-2004, 12:14 PM | #1
Junkie
popup galore
This is on my lappy here...
It always has popups and stuff trying to install... once it turns on it does... I don't have to do anything or run anything.. please help. Here's a list I got from HijackThis of startup stuff.. please help.

StartupList report, 14/03/2004, 12:10:46 PM
StartupList version: 1.52
Started from : C:\DOCUME~1\Jim\LOCALS~1\Temp\Rar$EX00.893\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Jim\Application Data\dooe.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\wcpsu.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\Rar$EX00.893\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Jim\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
BlackICE Utility.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
LTSMMSG = LTSMMSG.exe
TrackPointSrv = tp4serv.exe
BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
TP4EX = tp4ex.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
UC_SMB =
AGRSMMSG = AGRSMMSG.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Mirabilis ICQ = C:\PROGRA~1\ICQ\ICQNet.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*
--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
WINT = C:\WINDOWS\System32\wcpsu.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* 
-------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S "%3" -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINDOWS\System32\mshta.exe "%1" %* -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] * StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT 
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietInstall.PerUser [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\system32\ie4uinit.exe [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINDOWS\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= 
-------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE= drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINDOWS\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINDOWS\Explorer\Explorer.exe: not present C:\WINDOWS\System\Explorer.exe: not present C:\WINDOWS\System32\Explorer.exe: not present C:\WINDOWS\Command\Explorer.exe: not present C:\WINDOWS\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! 
(arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINDOWS - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F} NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872} -------------------------------------------------- Enumerating Task Scheduler jobs: BMMTask.job Low Battery Alarm Program.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [Microsoft XML Parser for Java] CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd [Yahoo! Chat] CODEBASE = http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! 
Chat.osd [Checkers Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab [RdxIE Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll CODEBASE = http://software-dl.real.com/183bba77...p/RdxIE601.cab [MS3DViewerOCX Control] InProcServer32 = C:\PROGRA~1\MILKSH~1\MS3DVI~1.OCX CODEBASE = http://www.swissquake.ch/chumbalum-s...DViewerOCX.cab [{62475759-9E84-458E-A1AB-5D2C442ADFDE}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe [HouseCall Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab [MessengerStatsClient Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll CODEBASE = http://messenger.zone.msn.com/binary...tatsClient.cab [Update Class] InProcServer32 = C:\WINDOWS\System32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.co...8004.123900463 [NsvPlayX Control] InProcServer32 = C:\PROGRA~1\COMMON~1\NSV\NSVPLA~1.DLL CODEBASE = http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINDOWS\System32\mswsock.dll NameSpace #2: C:\WINDOWS\System32\winrnr.dll NameSpace #3: C:\WINDOWS\System32\mswsock.dll Protocol #1: C:\WINDOWS\system32\mswsock.dll Protocol #2: C:\WINDOWS\system32\mswsock.dll Protocol #3: C:\WINDOWS\system32\mswsock.dll Protocol #4: C:\WINDOWS\system32\mswsock.dll Protocol #5: C:\WINDOWS\system32\rsvpsp.dll 
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll Protocol #7: C:\WINDOWS\system32\mswsock.dll Protocol #8: C:\WINDOWS\system32\mswsock.dll Protocol #9: C:\WINDOWS\system32\mswsock.dll Protocol #10: C:\WINDOWS\system32\mswsock.dll Protocol #11: C:\WINDOWS\system32\mswsock.dll Protocol #12: C:\WINDOWS\system32\mswsock.dll Protocol #13: C:\WINDOWS\system32\mswsock.dll Protocol #14: C:\WINDOWS\system32\mswsock.dll Protocol #15: C:\WINDOWS\system32\mswsock.dll Protocol #16: C:\WINDOWS\system32\mswsock.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system) aeaudio: system32\drivers\aeaudio.sys (manual start) Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start) Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start) Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) BlackICE driver, version 1.0, by Internet Security Systems, Inc.: \??\C:\WINDOWS\System32\drivers\BlackDrv.sys (disabled) BlackICE: "C:\Program Files\ISS\BlackICE\blackd.exe" (autostart) 
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start) Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start) Concord Eye-Q Duo 2000 USB Video Capture V1.01: system32\drivers\CoachCap.sys (autostart) Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system) COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start) Crypkey License: crypserv.exe (autostart) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) CSMBATT: System32\drivers\CSMBATT.SYS (system) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) dmio: System32\drivers\dmio.sys (disabled) dmload: System32\drivers\dmload.sys (disabled) Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start) Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start) IBM eGatherer Diagnostics: \??\C:\WINDOWS\System32\EGATHDRV.SYS (manual start) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start) Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual 
start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) ialm: System32\DRIVERS\ialmnt5.sys (manual start) IBMPMDRV: System32\DRIVERS\ibmpmdrv.sys (manual start) IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart) IBMTPCHK: System32\drivers\IBMBLDID.SYS (system) IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start) IntelIde: System32\DRIVERS\intelide.sys (system) IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start) IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (system) IrDA Protocol: System32\DRIVERS\irda.sys (autostart) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Lucent Technologies Soft Modem: System32\DRIVERS\LTSM.sys (manual start) Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start) Mouse Class Driver: 
System32\DRIVERS\mouclass.sys (system) WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start) Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start) NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start) NAVAP: \??\C:\WINDOWS\System32\Drivers\NAVAP.SYS (manual start) Norton AntiVirus Auto Protect Service: C:\Program Files\Norton AntiVirus\navapsvc.exe (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040303.038\NAVENG.Sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040303.038\NavEx15.Sys (manual start) Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) NetworkX: \SystemRoot\system32\ckldrv.sys (system) Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual 
start) Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (manual start) PCANDIS5 Protocol Driver: \??\C:\WINDOWS\system32\PCANDIS5.SYS (manual start) Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\PCDRDRV.sys (manual start) PCI Bus Driver: System32\DRIVERS\pci.sys (system) Pcmcia: System32\DRIVERS\pcmcia.sys (system) SMC2632W V.2 Wireless PC Card: System32\DRIVERS\smcpcmxp.sys (manual start) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Processor Driver: System32\DRIVERS\processr.sys (system) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) PxHelp20: System32\DRIVERS\PxHelp20.sys (system) Logitech QuickCam Express: System32\DRIVERS\OVCD.sys (manual start) QCONSVC: System32\QCONSVC.EXE (autostart) RapApp: C:\Program Files\ISS\BlackICE\rapapp.exe (autostart) RapDrv: \??\C:\WINDOWS\System32\drivers\RapDrv.sys (system) RapFile: \??\C:\WINDOWS\System32\drivers\RapFile.sys (system) RapNet: \??\C:\WINDOWS\System32\drivers\RapNet.sys (system) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) 
Rdbss: System32\DRIVERS\rdbss.sys (system) RDPCDD: System32\DRIVERS\RDPCDD.sys (system) Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (manual start) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start) smwdm: system32\drivers\smwdm.sys (manual start) Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Filter Driver: System32\DRIVERS\sr.sys (system) System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Srv: System32\DRIVERS\srv.sys (manual start) SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc 
(autostart) BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start) StyleXPHelper: \??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe (system) StyleXPService: "C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe" (autostart) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{96D519E6-3893-473C-BDD8-6EE807F5DB04} (manual start) SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start) SYMREDRV: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (manual start) SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart) Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system) TDOEM: System32\Drivers\TDOEM.SYS (system) Terminal Device Driver: System32\DRIVERS\termdd.sys (system) Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) IBM PS/2 TrackPoint Driver: System32\DRIVERS\tp4track.sys (manual start) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start) USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start) USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start) Microsoft USB Universal Host Controller Miniport Driver: 
System32\DRIVERS\usbuhci.sys (manual start) VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system) Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start) Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start) World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start) Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) AIM 3.0 Part 01 Codec Driver VCH-A: system32\drivers\Vch.sys (manual start) AIM 3.0 Part 01 Codec Driver CH-7009-A: system32\drivers\wA301a.sys (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\DOCUME~1\Jim\LOCALS~1\Temp\GLB1A2B.EXE|||L -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 34,205 bytes Report generated in 0.240 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several 
rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only
03-14-2004, 03:49 PM | #4 (permalink) |
Wehret Den Anfängen!
Location: Ontario, Canada
Too much information in that post for me to easily read.
Launch Spybot in "advanced" mode. Select "Tools", then "System startup". Now, if you click on the filename part of the list, you'll get a popup description of the program. It will generally say if it is spyware. If you don't find any spyware: Click on "Export". Save the file. Copy and paste the file and post it here.

As for the Messenger service, I don't know WinXP well enough, but:
Start::Programs::Administrative Tools::Services
Find "Messenger" in the list of services. Right click on Messenger, select "Properties". Change Startup type to Disabled.
Right click on "Messenger" again. Select "Stop".
__________________
Last edited by JHVH : 10-29-4004 BC at 09:00 PM. Reason: Time for a rest. |
03-14-2004, 06:45 PM | #6 (permalink) |
Junkie
--- Search result list ---
--- Spybot-S&D version: 1.2 --- 2004-02-26 Includes\Cookies.sbi 2004-02-29 Includes\Dialer.sbi 2004-02-29 Includes\Hijackers.sbi 2004-02-26 Includes\Keyloggers.sbi 2004-02-29 Includes\Malware.sbi 2003-03-16 Includes\plugin-ignore.ini 2004-03-09 Includes\Revision.sbi 2004-02-26 Includes\Security.sbi 2004-02-29 Includes\Spybots.sbi 2003-03-16 Includes\Temporary.sbi 2004-02-26 Includes\Tracks.uti 2004-02-29 Includes\Trojans.sbi --- System information --- Windows XP (Build: 2600) Service Pack 1 / DataAccess: Security Update for Microsoft Data Access Components / Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information] / Windows Media Player: Windows Media Update 817787 / Windows Media Player: Windows Media Update 828026 / Windows XP / SP1: Windows XP Service Pack 1a / Windows XP / SP2: Windows XP Hotfix - KB810217 / Windows XP / SP2: Windows XP Hotfix (SP2) [See KB810243 for more information] / Windows XP / SP2: Advanced Networking Pack for Windows XP / Windows XP / SP2: Windows XP Hotfix - KB820291 / Windows XP / SP2: Windows XP Hotfix - KB821253 / Windows XP / SP2: Windows XP Hotfix - KB822603 / Windows XP / SP2: Windows XP Hotfix - KB823182 / Windows XP / SP2: Windows XP Hotfix - KB824105 / Windows XP / SP2: Windows XP Hotfix - KB824141 / Windows XP / SP2: Windows XP Hotfix - KB824146 / Windows XP / SP2: Windows XP Hotfix - KB825119 / Windows XP / SP2: Windows XP Hotfix - KB826939 / Windows XP / SP2: Windows XP Hotfix - KB826942 / Windows XP / SP2: Windows XP Hotfix - KB828028 / Windows XP / SP2: Windows XP Hotfix - KB828035 / Windows XP / SP2: Windows XP Hotfix - KB829558 / Windows XP / SP2: Windows XP Hotfix (SP2) Q322011 / Windows XP / SP2: Windows XP Hotfix (SP2) Q327979 / Windows XP / SP2: Windows XP Hotfix (SP2) Q814995 / Windows XP / SP2: Windows XP Hotfix (SP2) Q819696 --- Startup entries list --- Spybot-S&D Startup list report, 14/03/2004 4:07:20 PM Located: HK_CU:Run, MsnMsgr file: "C:\Program Files\MSN 
Messenger\MsnMsgr.Exe" /background Located: HK_CU:Run, STYLEXP file: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide Located: HK_CU:Run, Yahoo! Pager file: C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet Located: HK_CU:Run, WINT file: C:\WINDOWS\System32\wcpsu.exe MD5: 12694B3F3462619DEC289041733BE2D9 Located: HK_LM:Run, IgfxTray file: C:\WINDOWS\System32\igfxtray.exe MD5: 26F4DF6C5A39420CF1A6AD2C3FD7B3F8 Located: HK_LM:Run, HotKeysCmds file: C:\WINDOWS\System32\hkcmd.exe MD5: DAA3B4C4A574ADEEBC99A7029DEDACDD Located: HK_LM:Run, TrackPointSrv file: tp4serv.exe Located: HK_LM:Run, TP4EX file: tp4ex.exe Located: HK_LM:Run, TPHOTKEY file: C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe MD5: 7A0AB3CEED7BDA5EC61EDF62D7102965 Located: HK_LM:Run, AGRSMMSG file: AGRSMMSG.exe Located: HK_LM:Run, QuickTime Task file: "C:\Program Files\QuickTime\qttask.exe" -atboottime Located: HK_LM:Run, Mirabilis ICQ file: C:\PROGRA~1\ICQ\ICQNet.exe MD5: 4E34897AC56FE596D9D445A82E392D57 Located: HK_LM:Run, NAV Agent file: C:\PROGRA~1\NORTON~1\navapw32.exe MD5: 89EDB06C1EA1A7F4A513FF1DBECBF73B Located: HK_LM:Run, LTSMMSG file: LTSMMSG.exe Located: HK_LM:Run, TkBellExe (DISABLED) file: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot Located: Startup (common), Adobe Gamma Loader.lnk file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe MD5: C2FF17734176CD15221C10044EF0BA1A Located: Startup (common), BlackICE Utility.lnk file: C:\Program Files\ISS\BlackICE\blackice.exe MD5: 9166615A9EA43018CDCB822AE9BD2D1D Located: Startup (common), Microsoft Office.lnk file: C:\Program Files\Microsoft Office\Office\OSA9.EXE MD5: 1A92B01BA716EB8C863BD4BE6A71CB32 --- Browser helper object list --- Spybot-S&D Browser helper object report, 14/03/2004 4:07:20 PM {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} Class file: AcroIEHelper.ocx Attributes: Date: 02/03/2001 12:02:04 PM MD5: 8394ABFC1BE196A62C9F532511936DF7 Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\ Short 
name: ACROIE~1.OCX Size: 37808 bytes Version: 0.1.0.0 Class name: AcroIEHlprObj Class CLSID database: legitimate software Description: Adobe Acrobat reader Filename: ACROIEHELPER.OCX {53707962-6F74-2D53-2644-206D7942484F} Class file: SDHelper.dll Attributes: archive Date: 16/03/2003 1:02:00 AM MD5: 423CBD3CFAEEB62C5C97A9449567B474 Path: C:\PROGRA~1\SPYBOT~1\ Short name: Size: 711168 bytes Version: 255.255.255.255 CLSID database: legitimate software Description: Spybot-S&D IE Browser plugin Filename: SDHelper.dll {BDF3E430-B101-42AD-A544-FADC6B084872} Class file: NavShExt.dll Attributes: archive Date: 27/02/2002 11:07:30 AM MD5: 3AB9B9A20D4D8B6A1632910AB6C56FD9 Path: C:\Program Files\Norton AntiVirus\ Short name: Size: 102400 bytes Version: 0.8.0.0 Class name: CNavExtBho Class CLSID database: legitimate software Description: Norton Antivirus Filename: NavShExt.dll Name: NAV Helper --- ActiveX list --- Spybot-S&D ActiveX report, 14/03/2004 4:07:20 PM Microsoft XML Parser for Java Download location: file://C:\WINDOWS\Java\classes\xmldso.cab Name: Microsoft XML Parser for Java Version: 1,0,9,2 Yahoo! Chat Download location: http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab Last modified: Sat, 29 Sep 2001 00:18:53 GMT Name: Yahoo! 
Chat Version: 1,0,0,381 {00B71CFB-6864-4346-A978-C0A14556272C} Class file: msgrchkr.dll Attributes: archive Date: 29/05/2003 3:00:18 PM MD5: 42D567DF86B9B7AC4A89664C9651B68B Path: C:\WINDOWS\Downloaded Program Files\ Short name: Size: 77408 bytes Version: 0.7.0.1 Class name: Checkers Class Contains file: msgrchkr.dll Attributes: archive Date: 29/05/2003 3:00:18 PM MD5: 42D567DF86B9B7AC4A89664C9651B68B Path: C:\WINDOWS\Downloaded Program Files\ Short name: Size: 77408 bytes Version: 0.7.0.1 Download location: http://messenger.zone.msn.com/binary/msgrchkr.cab Last modified: Tue, 23 Sep 2003 20:14:14 GMT Version: 7,1,9502,1 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} Class file: QTPlugin.ocx Attributes: archive Date: 21/01/2004 4:04:36 PM MD5: CE3D865CCF4267C85934D9B7CA8521F2 Path: C:\Program Files\QuickTime\ Short name: Size: 327736 bytes Version: 0.6.0.4 Class name: QuickTime Object CLSID database: legitimate software Description: Apple Quicktime Filename: QTPLUGIN.OCX Download location: http://www.apple.com/qtactivex/qtplugin.cab Last modified: Thu, 09 Oct 2003 18:24:41 GMT Version: 6,4,0,29 {166B1BCA-3F9C-11CF-8075-444553540000} Class file: SwDir.dll Attributes: archive Date: 11/02/2003 6:02:58 AM MD5: 92FA0AE21D3A08B65D291724AA7D0E43 Path: C:\WINDOWS\system32\Macromed\Director\ Short name: Size: 32768 bytes Version: 0.8.0.5 Class name: Shockwave ActiveX Control CLSID database: unknown class Description: Macromedia ShockWave Flash Player 7 Filename: SWDIR.DLL Download location: http://download.macromedia.com/pub/s...irector/sw.cab Last modified: Tue, 08 Oct 2002 18:22:24 GMT Version: 8,5,1,102 {56336BCB-3D8A-11D6-A00B-0050DA18DE71} Class file: RdxIE.dll Attributes: archive Date: 28/01/2004 12:13:52 PM MD5: C350FD4B920362062BD39EA31007ACFB Path: C:\WINDOWS\Downloaded Program Files\ Short name: Size: 520349 bytes Version: 0.6.0.0 Class name: RdxIE Class CLSID database: confirmed malware Description: Netster Contains file: RdxIE.dll Attributes: archive Date: 28/01/2004 
12:13:52 PM MD5: C350FD4B920362062BD39EA31007ACFB Path: C:\WINDOWS\Downloaded Program Files\ Short name: Size: 520349 bytes Version: 0.6.0.0 Download location: http://software-dl.real.com/183bba77...p/RdxIE601.cab Last modified: Wed, 28 Jan 2004 20:13:56 GMT Version: 6,0,0,10 {59131903-4A33-40D5-80C2-5242DD365AB3} Class file: MS3DVI~1.OCX Attributes: archive Date: 18/04/2003 6:17:30 AM MD5: 17609769953405A1225B13B470DB8F1D Path: C:\PROGRA~1\MILKSH~1\ Short name: MS3DVI~1.OCX Size: 987136 bytes Version: 0.1.0.0 Class name: MS3DViewerOCX Control Download location: http://www.swissquake.ch/chumbalum-s...DViewerOCX.cab Last modified: Sat, 19 Apr 2003 11:43:17 GMT Version: 1,0,0,6 {62475759-9E84-458E-A1AB-5D2C442ADFDE} Download location: http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe Last modified: Sun, 14 Dec 2003 18:03:23 GMT Version: 0,0,0,1 {74D05D43-3236-11D4-BDCD-00C04F9A3B61} Class file: xscan53.ocx Attributes: archive Date: 27/11/2003 4:40:00 PM MD5: 509CDDE8175702B1FF4E2B43F0332436 Path: C:\WINDOWS\DOWNLO~1\ Short name: Size: 435712 bytes Version: 0.5.0.70 Class name: HouseCall Control CLSID database: legitimate software Description: Trend Micro Antivirus online scanner Filename: XSCAN53.OCX Contains file: aucfg.ini Attributes: archive Date: 01/11/2002 4:17:50 PM MD5: AF03B6DA00B295F2B2DFD949B7290F53 Path: C:\WINDOWS\ Short name: Size: 256 bytes Version: 255.255.255.255 Contains file: loadhttp.dll Attributes: archive Date: 15/10/2002 2:29:40 PM MD5: A91762435EDBE0B0C9E6B19512934319 Path: C:\WINDOWS\ Short name: Size: 77824 bytes Version: 0.1.0.32 Contains file: mfc42.dll Attributes: archive Date: 18/08/2001 5:00:00 AM MD5: 2E9656044FE42AC91E6EE49DC47A5472 Path: C:\WINDOWS\System32\ Short name: Size: 995383 bytes Version: 0.6.0.0 Contains file: msvcrt.dll Attributes: Date: 29/08/2002 2:41:08 AM MD5: 886A6C3C185AAEDECD00477F72279B07 Path: C:\WINDOWS\System32\ Short name: Size: 323072 bytes Version: 0.7.0.0 Contains file: patchw32.dll Attributes: archive 
Date: 14/12/2001 1:34:46 PM MD5: 6C6CAC2D5F122CF24B92EE12CB87D8A6 Path: C:\WINDOWS\ Short name: Size: 164864 bytes Version: 0.5.0.1 Contains file: runtsckl.exe Attributes: archive Date: 27/11/2003 4:40:04 PM MD5: FBD7758A9AD865A4FAC3A56C0DF0FAC9 Path: C:\WINDOWS\ Short name: Size: 99328 bytes Version: 0.1.0.0 Contains file: tmupdate.ini Attributes: archive Date: 04/07/2002 3:05:34 PM MD5: 787089A662510400220211AD5A431F06 Path: C:\WINDOWS\ Short name: Size: 269 bytes Version: 255.255.255.255 Contains file: xscan53.ocx Attributes: archive Date: 27/11/2003 4:40:00 PM MD5: 509CDDE8175702B1FF4E2B43F0332436 Path: C:\WINDOWS\Downloaded Program Files\ Short name: Size: 435712 bytes Version: 0.5.0.70 Download location: http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab Last modified: Fri, 05 Dec 2003 03:12:29 GMT Version: 5,70,0,1079 {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} Class file: messengerstatsclient.dll Attributes: archive Date: 29/05/2003 3:00:20 PM MD5: B069B555A00AA026F657AA4FD13AE154 Path: C:\WINDOWS\Downloaded Program Files\ Short name: MESSEN~1.DLL Size: 160864 bytes Version: 0.7.0.1 Class name: MessengerStatsClient Class Contains file: messengerstatsclient.dll Attributes: archive Date: 29/05/2003 3:00:20 PM MD5: B069B555A00AA026F657AA4FD13AE154 Path: C:\WINDOWS\Downloaded Program Files\ Short name: MESSEN~1.DLL Size: 160864 bytes Version: 0.7.0.1 Download location: http://messenger.zone.msn.com/binary...tatsClient.cab Last modified: Tue, 23 Sep 2003 20:14:14 GMT Version: 7,1,9502,1 {9F1C11AA-197B-4942-BA54-47A8489BB47F} Class file: iuctl.dll Attributes: archive Date: 31/01/2004 12:39:50 AM MD5: 5BC0EE4544F65976945F5B1010172032 Path: C:\WINDOWS\System32\ Short name: Size: 115512 bytes Version: 0.5.0.4 Class name: Update Class CLSID database: legitimate software Description: Windows Update Filename: %WINDIR%\System32\iuctl.dll,iuengine.dll Contains file: iuctl.dll Attributes: archive Date: 31/01/2004 12:39:50 AM MD5: 5BC0EE4544F65976945F5B1010172032 Path: 
C:\WINDOWS\System32\ Short name: Size: 115512 bytes Version: 0.5.0.4 Contains file: iuengine.dll Attributes: archive Date: 09/02/2004 9:09:36 PM MD5: 920DDB6C300D8F54E3D64D7B733C9D17 Path: C:\WINDOWS\System32\ Short name: Size: 183064 bytes Version: 0.5.0.4 Download location: http://v4.windowsupdate.microsoft.co...8004.123900463 Last modified: Tue, 26 Aug 2003 01:19:52 GMT Version: 5,4,3790,14 {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} Class file: NSVPLA~1.DLL Attributes: archive Date: 10/12/2003 2:36:06 PM MD5: 7DE2078460CCE8F2E7E20362434B836B Path: C:\PROGRA~1\COMMON~1\NSV\ Short name: NSVPLA~1.DLL Size: 112128 bytes Version: 0.1.0.0 Class name: NsvPlayX Control Download location: http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab Last modified: Mon, 15 Dec 2003 19:07:26 GMT Version: 1,0,0,997 {D27CDB6E-AE6D-11CF-96B8-444553540000} Class file: Flash.ocx Attributes: archive Date: 08/12/2003 2:01:58 PM MD5: F7E435D02F7A48120B746E33254A70BC Path: C:\WINDOWS\System32\macromed\flash\ Short name: Size: 933888 bytes Version: 0.7.0.0 Class name: Shockwave Flash Object CLSID database: legitimate software Description: Macromedia Shockwave Flash Player Download location: http://download.macromedia.com/pub/s...sh/swflash.cab Last modified: Thu, 11 Dec 2003 15:54:18 GMT Version: 7,0,19,0 --- Process list --- Spybot-S&D process list report, 14/03/2004 4:07:20 PM PID: 0 ( 0) [System] PID: 4 ( 0) System PID: 280 ( 460) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe PID: 444 ( 460) C:\Program Files\Internet Explorer\iexplore.exe PID: 460 ( 216) C:\WINDOWS\Explorer.EXE PID: 616 ( 4) \SystemRoot\System32\smss.exe PID: 644 ( 460) C:\WINDOWS\System32\hkcmd.exe PID: 648 ( 460) C:\WINDOWS\LTSMMSG.exe PID: 668 ( 460) C:\WINDOWS\System32\tp4serv.exe PID: 680 ( 616) csrss.exe PID: 704 ( 616) \??\C:\WINDOWS\system32\winlogon.exe PID: 748 ( 704) C:\WINDOWS\system32\services.exe PID: 760 ( 704) C:\WINDOWS\system32\lsass.exe PID: 764 ( 460) C:\WINDOWS\AGRSMMSG.exe PID: 900 ( 748) 
C:\WINDOWS\System32\ibmpmsvc.exe PID: 932 ( 748) C:\WINDOWS\system32\svchost.exe PID: 956 ( 748) C:\WINDOWS\System32\svchost.exe PID: 980 ( 748) C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe PID: 1060 ( 460) C:\Program Files\Common Files\Real\Update_OB\realsched.exe PID: 1116 ( 460) C:\PROGRA~1\NORTON~1\navapw32.exe PID: 1140 ( 460) C:\Program Files\MSN Messenger\MsnMsgr.Exe PID: 1156 ( 460) C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe PID: 1176 ( 460) C:\WINDOWS\System32\wcpsu.exe PID: 1180 ( 748) svchost.exe PID: 1216 ( 748) svchost.exe PID: 1232 (1980) C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe PID: 1320 ( 460) C:\Program Files\ISS\BlackICE\blackice.exe PID: 1444 ( 748) C:\WINDOWS\system32\spoolsv.exe PID: 1552 ( 748) C:\WINDOWS\system32\crypserv.exe PID: 1588 ( 748) C:\Program Files\Norton AntiVirus\navapsvc.exe PID: 1620 ( 748) C:\WINDOWS\System32\QCONSVC.EXE PID: 1664 ( 748) C:\Program Files\ISS\BlackICE\rapapp.exe PID: 1752 ( 748) C:\WINDOWS\System32\svchost.exe PID: 1980 ( 460) C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe PID: 2032 (1076) C:\PROGRA~1\ICQ\ICQ.exe PID: 2864 ( 460) C:\WINDOWS\system32\mmc.exe --- Browser start & search pages list --- Spybot-S&D browser pages report, 14/03/2004 4:07:20 PM HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page C:\WINDOWS\System32\blank.htm HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir...ie&ar=iesearch HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page about:blank HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page %SystemRoot%\system32\blank.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir...ie&ar=iesearch HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home HKEY_LOCAL_MACHINE\Software\Microsoft\Internet 
Explorer\Main\Default_Page_URL http://www.microsoft.com/isapi/redir...r=6&ar=msnhome HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL http://www.microsoft.com/isapi/redir...ie&ar=iesearch HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm --- Winsock Layered Service Provider list --- Spybot-S&D winsock LSP report, 14/03/2004 4:07:20 PM NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B}) NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC}) NS Provider ( 3) Network Location Awareness (NLA) Namespace ({6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}) Protocol ( 1) MSAFD Irda [IrDA] ({3972523D-2AF1-11D1-B655-00805F3642CC}) Protocol ( 2) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192}) Protocol ( 3) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192}) Protocol ( 4) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192}) Protocol ( 5) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A}) Protocol ( 6) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A}) Protocol ( 7) MSAFD NetBIOS [\Device\NetBT_Tcpip_{23D04F0F-F793-4D76-932E-B3FBE1178335}] SEQPACKET 4 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol ( 8) MSAFD NetBIOS [\Device\NetBT_Tcpip_{23D04F0F-F793-4D76-932E-B3FBE1178335}] DATAGRAM 4 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol ( 9) MSAFD NetBIOS [\Device\NetBT_Tcpip_{18AF4567-703D-45D0-B813-56EBC194EF7E}] SEQPACKET 3 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (10) MSAFD NetBIOS [\Device\NetBT_Tcpip_{18AF4567-703D-45D0-B813-56EBC194EF7E}] DATAGRAM 3 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{1FDEDE8E-97A5-41D1-843C-B64141323D51}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192}) 
Protocol (12) MSAFD NetBIOS [\Device\NetBT_Tcpip_{1FDEDE8E-97A5-41D1-843C-B64141323D51}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (13) MSAFD NetBIOS [\Device\NetBT_Tcpip_{94CBE47D-DDB6-4319-9B84-41B825FE08E2}] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (14) MSAFD NetBIOS [\Device\NetBT_Tcpip_{94CBE47D-DDB6-4319-9B84-41B825FE08E2}] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (15) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9384846F-014D-4CAE-A201-8CA220839B78}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192}) Protocol (16) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9384846F-014D-4CAE-A201-8CA220839B78}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})